The Privacy Act of 1974 (PL 93-579) and OMB guidelines for its implementation impose requirements on Federal agency personal record-keeping practices. This report presents an implementation strategy for the administration of certain Privacy Act requirements with the use of today's data base management systems. These Privacy Act requirements are analyzed in the light of data base software functional characteristics, and implementation approaches utilizing commonly available data base management systems are described. As these approaches cannot anticipate every possible situation, they should not be construed as an official compliance standard or legal interpretation regarding the Act's provisions. Rather, they provide tools for efficient and effective computer utilization in Privacy Act compliance by extending routine processing functions to include necessary administrative functions at minimal additional cost.
A DATA BASE MANAGEMENT APPROACH TO PRIVACY ACT COMPLIANCE

Elizabeth Fong

The Privacy Act (PL 93-579) provisions on personal record handling present new issues concerning effective use of commercial data base management systems (DBMS) by Federal agencies. The widespread use of such systems in record-keeping activities will definitely have an impact on methods of administering compliance with the Privacy Act. This report proposes a technical approach to compliance with certain Privacy Act requirements through the use of generalized data base management systems. Requirements are translated into a set of computer data files and procedures. These procedures, incorporated at pivotal points of data base software, can implement those Privacy Act compliance procedures amenable to automation. The use of DBMS appears to be a viable and technologically feasible solution to the effective and efficient implementation of many Privacy Act provisions.

Key words: Computer utilization; data base functions; data base management systems; Privacy Act of 1974; privacy compliance techniques.
1. INTRODUCTION

Data Base Management Systems (DBMS) provide the technology which makes it possible to administer vast record-keeping on an efficient basis. Large computer files of several million records now are used in all but the smallest enterprises to provide current status information and timely management for personnel, inventories, property, financial accounts, and other functions. Thus, data base management systems offer a vehicle for implementation of procedures and safeguards to protect privacy and facilitate compliance with legislation.

The Privacy Act of 1974 (PL 93-579) [1] sets forth requirements governing Federal agency personal record-keeping practices. The key to Privacy Act administration is the establishment of policies which control the use of personal data. The requirements imply that certain data usage and dissemination be monitored and controlled. The Privacy Act provisions on personal record handling give rise to issues concerning effective use of commercial data base management systems by Federal agencies. The increasing use of DBMS by agencies in their data processing to support their missions raises the question of how DBMS capabilities can be advantageously used to aid the administration of Privacy Act requirements.
1.1 Objective

NBS experience shows that agencies' current compliance procedures are typically manual. The questions that arise from this observation are (1) whether compliance procedures are amenable to automation; and (2) if so, whether these procedures should be incorporated in a generalized data base management system.

The two questions imply management decisions that are to some extent unique to each agency. Nevertheless, ... DBMS to implement provisions of the Privacy Act. This report is addressed to agencies (1) that are presently using computers for record storage, and (2) that either have a DBMS, or consider the future acquisition of a DBMS to be a distinct possibility. If the agency is in this situation, this report should aid in its efforts to comply with the Privacy Act and to determine what DBMS capabilities can be advantageously used.

The report is aimed, in particular, at data base administrators or data base managers. Those agencies with an existing DBMS can expect to learn what their system can do in complying with the Act, and what ways of using the DBMS to implement the Act's provisions are most likely to be feasible. For those agencies without an existing DBMS, this study can point out in what ways a DBMS could help them in implementing requirements of the Privacy Act.
1.2 Scope

The scope of this study is limited to those compliance requirements of the Privacy Act which we judge to be candidates for automation by means of a data base management system. For official guidance on specific instructions on compliance, the reader is directed to several relevant documents [2, 3, 4]. The OMB Circular No. A-108 [2] defines ...

In the proceedings of a workshop "Data Base Directions - The Next Step" [6], the section on "Impact of Government Regulations" assesses the impact of regulations on data base system functions. Compliance requirements mentioned in this report are taken from all of the above mentioned documents.

Physical security and "appropriate safeguards" aspects are treated in FIPS PUB 41 [4], and will not be covered in this study. The security aspects involving accidental or intentional disclosure to unauthorized persons are not directly addressed.

For the purpose of this study, a DBMS is characterized as a generalized software package, which provides a single flexible facility for accommodating different data files and operations while demanding less programming effort than conventional programming languages, e.g., COBOL. DBMS software possesses the following general properties:

- It facilitates operation on data such as data definition, data storage, data maintenance, data retrieval, and output.
- It facilitates reference to data by name and not by physical location.
- It operates in a software environment which is not tied to a particular set of application programs or files.

It is also assumed that the data base contains data constituting all or part of a "system of records," as defined in the Privacy Act.
1.3 Approach

The overall approach in this report is to gather two different sets of data for analysis. These data are:

- Privacy Act requirements translated into compliance procedures that can be automated.
- Functional characteristics of current DBMS software for implementing Privacy Act compliance actions.

The Privacy Act requirement analysis provides insight in the development of a set of data and procedures for compliance with Privacy Act requirements. Those compliance actions identified are slightly different from Goldstein's [7, 8], whose compliance actions are used for evaluating costs of alternative compliance methods. For example, revision of forms, training of personnel, etc. are considered in Goldstein's work but are not amenable to implementation in data base management systems.

The second set of data gathered for analysis are the DBMS functional characteristics. A set of data base functions are identified. These data base functions, if incorporated in a DBMS, will in fact realize the Privacy Act compliance procedures.
1.4 Guide to the Reader

The reader is assumed to be familiar with the Privacy Act. Detailed analysis of relevant provisions of the Privacy Act appears in Appendix I. For purposes of this report, the Act's requirements are classified into five functional areas:

- Collection of information,
- Maintenance and use of information (by the maintaining agency),
- Data subject access to and amendment of information,
- Non-routine use and disclosures of information, and
- Public notice requirements.

These five functional areas are translated into compliance procedures. Supporting these compliance procedures are the data files necessary to perform the compliance actions. Section 3 of this report examines the data base management system functional characteristics in terms of three phases: input, processing, and output. Within each phase, a set of DBMS functions are specified. These DBMS functions are shown in Section 4 to be those which implement specific compliance procedures. The correlation of requirements, compliance procedures, and DBMS functions appears in tabular form in Appendix II. The reference section contains brief annotations.
2. COMPLIANCE DATA AND PROCEDURES

To develop an implementation strategy for meeting the Privacy Act requirements, it is assumed that an agency has (1) a system of records containing personal information, and (2) a data base management system as nucleus software to process this system of records. The traditional data base environment consists of a data base containing files with records of information, plus a set of supporting application programs.

To accommodate privacy demands, an additional set of application programs and supporting data files are necessary. The design of the data files, and the specification of the application programs which are referred to as compliance procedures, are identified and presented below.
2.1 Data Files and Data Elements

The data needed in support of compliance procedures assumes the existence of a data base containing personal information. This data base is installed on a DBMS which is commercially available. General criteria for data base organization can be quite flexible depending on the data relations of the systems of records being established. Specific files and data elements are suggested here to be incorporated as part of the Privacy implementation data base.

It is also assumed that the data base has a distinct logical segment containing the system of records of individual personal information which will be referred to as the main file. Additional data fields are required for the implementation of Privacy Act compliance procedures. These additional data elements, added to the logical segment for each data subject record in the main file, are:

- Consent field - Yes or No and date of consent.
  - Reference indicating the kind of consent.

- Disclosure Account field -
  - Number of times disclosure to individual himself
  - Number of times disclosure to third party
  - Number of times special disclosure
  - Number of times disclosure denied
  - Indicator leading to an entry in Disclosure Account (DA) file described later.

- Dispute field - Yes or No.
  - If yes, set indicator leading to Statement of Dispute (SOD) file described later.

Several additional files might be associated with a system of records containing personal information. The specification of these files and the data elements required are identified below. Notice also that the abbreviated file name which appears in parentheses will be referenced in the compliance procedure tables in Appendix II.
STATEMENT OF DISPUTES FILE (SOD). This file contains information on all the disputes. As described above, it is assumed that, in the main file, the individual record containing disputed data about an individual is flagged and a pointer mechanism would lead to a record of the SOD file. Each record would have the following data elements:

- Date of dispute
- Nature of Dispute - Textual description of dispute
- Agency Reason for Refusal - Textual description of refusal
- Status - judicial review or other legal remedies
- Disputed data element name - The data element in dispute
- Disputed data value - The data value in dispute

DISCLOSURE ACCOUNTING FILE (DA). This file contains records of all the disclosures. It is assumed that the individual master records contain three types of disclosure flags: disclosure initiated at the data subject's request, third-party disclosure, and special disclosure. In fact, these flags can be the "count" of each type of disclosure for this particular record. Indices or pointers would lead to the existence of this DA record. Each record in the DA file would have the following data elements:

- Date of disclosure
- Purpose of disclosure - Textual description
- Data elements - List of data element names disclosed
- Data values - List of corresponding values disclosed
- Name - Person or agency to whom disclosure is made
- Address - Person or agency to whom disclosure is made
PUBLIC NOTICE FILE (PN). The law requires that an annual report for each system of records must be submitted by April 30th of each year. The computer maintenance of this file is optional. The PN file may be defined when establishing a new system of records. The contents of the file are used for the announcement notice in the Federal Register and can be maintained also and used for eventual annual review and reporting purposes. The file may contain the following data elements:

- System Name
- System Location
- Categories of Individuals
- Categories of records
- Authority for Maintenance
- Routine uses
- Policies and practices regarding storage
- Policies and practices regarding retrievability
- Policies and practices regarding safeguards
- Policies and practices regarding retention and disposal
- System manager and address
- Notification Procedure
- Record access procedure
- Name and address of administrator for disputing
- Record source categories (how source information is obtained)

NOTIFICATION NOTICE FILE (NN). This may be a small file which can perhaps be a subpart of the PN file. Specific information requirements will be established when the new system of records is in effect. This file may be used to notify individuals of the existence of personal information collection and maintenance by an agency. This file needs to be modified when a new use of an existing file occurs. Data elements consist of:

- The authority
- The purpose
- The routine use
- The effect

STATISTICAL FILE (STAT). The OMB Guidelines [2] require that the agency also keep statistical information. A separate file may be established containing data elements such as:

- Number of subjects from whom information is collected
- Number who refuse to provide information
- Number of individuals requesting access
- Number of individuals refused access
- Number of refusals appealed
- Number of cases ending in judicial review
- Number of times time limit was not met by the Agency
2.2 Compliance Procedures

Each Privacy Act requirement identified is translated side-by-side with the compliance procedures using a tabular format. See the first two columns of Appendix II. Within the procedure specification, data file references are made using the acronym designation indicated in the previous sections.

Five broad areas of Privacy Act requirements are identified to facilitate identification of compliance procedures that are relevant in a DBMS environment. In Appendix II, the compliance procedures for each of these areas are grouped in five separate tables. Table 1 lists the requirements for collection of information. Table 2 lists the requirements for maintenance and use of information by the maintaining agency. Table 3 lists the data subject access, amendment and dispute handling requirements. Table 4 lists the disclosure requirements. The various conditions of disclosures are presented with an additional two columns indicating whether accounting and consent are necessary. Table 5 lists the public notice requirements.

In the next section, relevant DBMS functions will be identified and then related to these compliance procedures.
3. DATA BASE FUNCTIONS

Current data base management functional capabilities are examined to develop a set of technical approaches to privacy compliance procedures. The specifications of the DBMS functions are generic in nature and do not impose any requirements on any particular type of DBMS. These generic DBMS functions identified are specifically relevant for implementing the Privacy Act provisions. These functions are, for purposes of clarity, classified under three functional phases: input, processing, and output. Each function identified under the three phases is numbered, and prefaced with the letter "I," "P," and "O" representing input, processing and output phases.

3.1 Input Phase

I1 - Data Collection

Raw data collected from individuals are usually defined to the data base using the data definition facility of the system. Adjunct packages such as a data directory or a dictionary, if available, can be used as a tool to describe each data element to the system. The definition will then facilitate the raw data value collected to be entered into the system.

I2 - Data Entry

The data to be entered into the data base can either be bulk loaded or added into the data base using the update capability. Usually this feature is inherent in the DBMS software.

I3 - Data Validation

The input data need to be validated to insure accuracy and integrity. Techniques range from data type checking to specific semantic consistency checks. Usually some type of data validation feature is inherent in DBMS available today.

I4 - Notification Notice

When establishing new information on a data subject, a notification notice is required by the Privacy Act. This could be an automatic print out of the Notification Notice (NN) file as described in the previous section.

I5 - Consent to Disclose

A form letter may be sent to the data subject upon a request to disclose. If consent is given, the "consent" field in the data subject record in the main file is set to "YES." A reference to this "consent" request is recorded. If consent is denied, the "consent" field is set to "NO." At the same time the Statistical File field for the number of individuals refused access is incremented by one.

3.2 Processing Phase
P1 - Periodic Validation

The periodic validation for accuracy, timeliness and completeness is distinguished from validation upon data input. This requirement is specifically spelled out in the Privacy Act. It is considered good information management practice to allocate certain time and resources for the validation. Special software can be written to check the entire data base. The software can utilize the validation routines for data input or can provide a sophisticated checking mechanism specifically tailored for the application.
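The two tiers of checking that I3 and P1 describe (data type checking, then semantic consistency checks) as an added worked example; this is not code from the report. The field names, the rule table and the sample records are this example's own assumptions about a main-file record of the kind sketched in Section 2.1.

```python
"""Added example, not code from the report: a validation routine of the kind
I3 and P1 describe, run over constructed main-file records (Section 2.1).
Field names, the rule table and the sample records are this example's own."""
from datetime import date


def _iso_date(s):
    """Type-level check: is s a well-formed ISO date string?"""
    try:
        date.fromisoformat(s)
        return True
    except (TypeError, ValueError):
        return False


# Rule table: field -> (allowed Python types, semantic predicate(value, record, as_of)).
# The type column is the cheap generic tier; the predicate is the semantic tier.
RULES = {
    "subject_id":    (int, lambda v, r, d: v > 0),
    "name":          (str, lambda v, r, d: v.strip() != ""),
    "consent":       ((str, type(None)), lambda v, r, d: v in ("YES", "NO", None)),
    # a consent decision must carry a date, and that date cannot lie in the future
    "consent_date":  ((str, type(None)),
                      lambda v, r, d: (v is None) == (r.get("consent") is None)
                      and (v is None or (_iso_date(v) and date.fromisoformat(v) <= d))),
    "n_third_party": (int, lambda v, r, d: v >= 0),
    "n_denied":      (int, lambda v, r, d: v >= 0),
    "dispute":       (str, lambda v, r, d: v in ("YES", "NO")),
    # the dispute flag and the pointer into the SOD file must agree
    "sod_pointer":   ((int, type(None)),
                      lambda v, r, d: (v is not None) == (r.get("dispute") == "YES")),
}


def validate_record(rec, as_of):
    """Return the list of problems found in one record (empty when it passes).
    as_of is an ISO date string for the day the check runs."""
    today = date.fromisoformat(as_of)
    problems = []
    for field, (types, check) in RULES.items():
        if field not in rec:
            problems.append(f"{field}: missing")
            continue
        v = rec[field]
        if isinstance(v, bool) or not isinstance(v, types):  # bool is an int subclass: reject
            problems.append(f"{field}: type {type(v).__name__} not allowed")
            continue
        if not check(v, rec, today):
            problems.append(f"{field}: inconsistent value {v!r}")
    return problems


def periodic_validation(records, as_of):
    """P1: sweep the entire file; return {subject_id: problems} for the failing records."""
    failures = {}
    for rec in records:
        problems = validate_record(rec, as_of)
        if problems:
            failures[rec.get("subject_id")] = problems
    return failures


SAMPLE = [  # constructed records: one clean, one inconsistent, one with several defects
    {"subject_id": 1, "name": "A. Example", "consent": "YES", "consent_date": "1976-03-01",
     "n_third_party": 1, "n_denied": 0, "dispute": "NO", "sod_pointer": None},
    {"subject_id": 2, "name": "B. Example", "consent": None, "consent_date": None,
     "n_third_party": 0, "n_denied": 0, "dispute": "YES", "sod_pointer": None},
    {"subject_id": 3, "name": "   ", "consent": "NO", "consent_date": "1999-01-01",
     "n_third_party": 0, "n_denied": "2", "dispute": "NO", "sod_pointer": None},
]

if __name__ == "__main__":
    for sid, problems in periodic_validation(SAMPLE, "1976-04-01").items():
        print(sid, problems)
```

The same `validate_record` serves both uses the report names: called on each record at data entry (I3) and called by `periodic_validation` over the whole file (P1). Record 2 passes every type check yet fails the cross-field rule, which is the case the semantic tier exists for.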


P2 - Authenticating Data Accesses

During data retrieval or updating, the user needs to be properly authorized to do the data accesses. Password checking or more sophisticated mechanisms must be provided in the DBMS. However, today's DBMS do provide some method for authenticating the user; this facility can be considered as inherent in the data base software.
P3 - Retrieval for Disclosure

After the user has been authenticated, the conditions and nature of the disclosure are checked. In Appendix II of this report, the "Conditions of Disclosure" have been identified. Those that require consent of the data subject must have the "consent" field checked. Those that require accounting of disclosure must invoke the disclosure accounting procedure (described later - see P6). A retrieval command will produce hard copy output to be given to the requestor. (The Act places restrictions on the use of Social Security number; methodology for retrieving individual records from personal data files using non-unique identifiers is described in [11].)
P4 - Data Update Due to Amendment

The field to be amended is retrieved and the contents of the field are modified as indicated. The disclosure accounting of that record is also retrieved. Names and addresses of individuals are generated. Letters informing them of the correction are then sent.

P5 - Data Purging Due to Specified Record Life

Based upon the condition of a specific purging requirement, a set of records that satisfied this condition is retrieved. The identity of records and date of purge are entered into a separate file for backup or audit purposes. These records are later deleted from the data base.
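Procedures P4 and P5 as an added worked example that is not part of the report: an amendment that consults the Disclosure Accounting (DA) file to find every prior recipient, and a purge that journals the identity and purge date of each expired record before deleting it. The in-memory lists, the `retain_until` field and the sample records are this example's own assumptions.

```python
"""Added example, not the report's code: procedures P4 (data update due to
amendment) and P5 (data purging) over in-memory lists that stand in for the
main file and the Disclosure Accounting (DA) file of Section 2.1.  Field names
and the sample records are this example's own, constructed for the demo."""
import copy

MAIN = [  # constructed main-file records; retain_until is an assumed record-life field
    {"subject_id": 1, "name": "A. Example", "grade": "GS-9",  "retain_until": "1976-01-31"},
    {"subject_id": 2, "name": "B. Example", "grade": "GS-11", "retain_until": "1980-12-31"},
]
DA = [  # constructed disclosure accounting records
    {"subject_id": 1, "disclosed_on": "1975-11-02", "elements": ["grade"],
     "recipient_name": "Agency X", "recipient_address": "Address X (constructed)"},
    {"subject_id": 1, "disclosed_on": "1975-12-15", "elements": ["name", "grade"],
     "recipient_name": "Agency X", "recipient_address": "Address X (constructed)"},
    {"subject_id": 2, "disclosed_on": "1976-01-10", "elements": ["grade"],
     "recipient_name": "Agency Y", "recipient_address": "Address Y (constructed)"},
]


def amend(main, da, subject_id, element, new_value):
    """P4: modify the field, retrieve the record's disclosure accounting, and
    generate one correction letter per distinct prior recipient."""
    rec = next(r for r in main if r["subject_id"] == subject_id)
    old_value, rec[element] = rec[element], new_value
    recipients = []                                   # keep order, drop duplicates
    for d in da:
        if d["subject_id"] == subject_id:
            who = (d["recipient_name"], d["recipient_address"])
            if who not in recipients:
                recipients.append(who)
    return [f"To {name}, {address}: the value of '{element}' for data subject "
            f"{subject_id}, previously '{old_value}', has been amended to '{new_value}'."
            for name, address in recipients]


def purge_expired(main, as_of):
    """P5: select records whose life has expired, journal their identity and the
    purge date to a separate audit list, then delete them from the main file."""
    audit = [{"subject_id": r["subject_id"], "purged_on": as_of}
             for r in main if r["retain_until"] < as_of]   # ISO dates compare as strings
    main[:] = [r for r in main if r["retain_until"] >= as_of]
    return audit


def demo(as_of="1976-04-01"):
    """Run both procedures on copies of the constructed files."""
    main, da = copy.deepcopy(MAIN), copy.deepcopy(DA)
    letters = amend(main, da, 1, "grade", "GS-11")
    audit = purge_expired(main, as_of)
    return {"letters": letters, "audit": audit,
            "remaining": [r["subject_id"] for r in main]}


if __name__ == "__main__":
    print(demo())
```

The audit list is built before the main file is rewritten, so a failure between the two steps leaves the journal ahead of the deletion rather than behind it, which is the ordering the backup-or-audit purpose of P5 calls for.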


P6 - Disclosure Accounting

Based upon the nature of the disclosure, flags in the data subject record are set in the master file. A record in the Disclosure Accounting file (DA) is created and data values for each data element specified in Section 2 of this report are entered.

P7 - Dispute Accounting

The "Dispute" field in the data subject record in the master file is set. A pointer leading to the record in the Statement of Dispute file (SOD) is created and data values for each data element specified in Section 2 of this report are entered.
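The data files of Section 2.1 together with procedures I5, P3, P6 and P7, as an added worked example that is not code from the report: a minimal model on sqlite3 from the Python standard library. The table and column names, the choice of which disclosure kinds need consent and accounting (the report's Appendix II "Conditions of Disclosure" table is not reproduced here), and the sample data subject are this example's assumptions.

```python
"""Added example, not code from the report: a minimal sqlite3 model of the
Section 2.1 data files (main file, DA, SOD, STAT) and of procedures I5, P3,
P6 and P7.  Table and column names are this example's own choices."""
import sqlite3

SCHEMA = """
CREATE TABLE main_file (        -- one row per data subject; consent, counts, dispute flag
    subject_id INTEGER PRIMARY KEY, name TEXT NOT NULL, home_address TEXT,
    consent TEXT CHECK (consent IN ('YES', 'NO')), consent_date TEXT, consent_ref TEXT,
    n_self INTEGER NOT NULL DEFAULT 0, n_third_party INTEGER NOT NULL DEFAULT 0,
    n_special INTEGER NOT NULL DEFAULT 0, n_denied INTEGER NOT NULL DEFAULT 0,
    dispute TEXT NOT NULL DEFAULT 'NO' CHECK (dispute IN ('YES', 'NO')));
CREATE TABLE da (               -- Disclosure Accounting file
    da_id INTEGER PRIMARY KEY, subject_id INTEGER REFERENCES main_file,
    disclosed_on TEXT, purpose TEXT, elements TEXT, disclosed_values TEXT,
    recipient_name TEXT, recipient_address TEXT);
CREATE TABLE sod (              -- Statement of Disputes file
    sod_id INTEGER PRIMARY KEY, subject_id INTEGER REFERENCES main_file,
    disputed_on TEXT, nature TEXT, refusal_reason TEXT, status TEXT,
    element_name TEXT, element_value TEXT);
CREATE TABLE stat (counter TEXT PRIMARY KEY, value INTEGER NOT NULL DEFAULT 0);
INSERT INTO stat VALUES ('refused_access', 0), ('disputes', 0);
"""
# Which disclosure kinds need consent and accounting is this example's assumption;
# the report's Appendix II "Conditions of Disclosure" table is not reproduced here.
KINDS = {                       # kind: (consent needed, accounting needed, count column)
    "self":        (False, False, "n_self"),
    "third-party": (True,  True,  "n_third_party"),
    "special":     (False, True,  "n_special"),
}
DISCLOSABLE = {"name", "home_address"}   # column whitelist: no caller text reaches the SQL


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def add_subject(conn, name, home_address):
    return conn.execute("INSERT INTO main_file (name, home_address) VALUES (?, ?)",
                        (name, home_address)).lastrowid


def record_consent(conn, subject_id, given, ref, today):
    """I5: set the consent field; a denial also bumps the STAT refusal counter."""
    conn.execute("UPDATE main_file SET consent=?, consent_date=?, consent_ref=? "
                 "WHERE subject_id=?", ("YES" if given else "NO", today, ref, subject_id))
    if not given:
        conn.execute("UPDATE stat SET value=value+1 WHERE counter='refused_access'")


def account_disclosure(conn, subject_id, kind, elements, values, purpose, who, where, today):
    """P6: bump the matching count in the main file and write the DA record."""
    col = KINDS[kind][2]                     # column name comes from KINDS, never from input
    conn.execute(f"UPDATE main_file SET {col}={col}+1 WHERE subject_id=?", (subject_id,))
    conn.execute("INSERT INTO da (subject_id, disclosed_on, purpose, elements, disclosed_values,"
                 " recipient_name, recipient_address) VALUES (?,?,?,?,?,?,?)",
                 (subject_id, today, purpose, ",".join(elements), ",".join(values), who, where))


def retrieve_for_disclosure(conn, subject_id, kind, elements, purpose, who, where, today):
    """P3: check consent where required, account where required, and return the
    values for the hard-copy output; None (and a counted denial) when refused."""
    if not set(elements) <= DISCLOSABLE:
        raise ValueError("element not disclosable: %r" % sorted(set(elements) - DISCLOSABLE))
    need_consent, need_accounting, _ = KINDS[kind]
    row = conn.execute(f"SELECT consent, {', '.join(elements)} FROM main_file "
                       "WHERE subject_id=?", (subject_id,)).fetchone()
    consent, values = row[0], list(row[1:])
    if need_consent and consent != "YES":
        conn.execute("UPDATE main_file SET n_denied=n_denied+1 WHERE subject_id=?", (subject_id,))
        return None
    if need_accounting:
        account_disclosure(conn, subject_id, kind, elements, values, purpose, who, where, today)
    return dict(zip(elements, values))


def record_dispute(conn, subject_id, nature, refusal_reason, element, value, today):
    """P7: flag the main-file record and write the SOD record the flag points to."""
    conn.execute("UPDATE main_file SET dispute='YES' WHERE subject_id=?", (subject_id,))
    conn.execute("INSERT INTO sod (subject_id, disputed_on, nature, refusal_reason, status,"
                 " element_name, element_value) VALUES (?,?,?,?,?,?,?)",
                 (subject_id, today, nature, refusal_reason, "pending", element, value))
    conn.execute("UPDATE stat SET value=value+1 WHERE counter='disputes'")


def demo():
    """Walk one constructed data subject through the procedures; return the audit state."""
    conn = open_db()
    sid = add_subject(conn, "J. Doe (constructed)", "1 Example St")
    denied = retrieve_for_disclosure(conn, sid, "third-party", ["name"],
                                     "audit", "Agency X", "-", "1976-04-01")
    record_consent(conn, sid, True, "letter of 1976-04-02", "1976-04-02")
    given = retrieve_for_disclosure(conn, sid, "third-party", ["name", "home_address"],
                                    "audit", "Agency X", "-", "1976-04-03")
    record_dispute(conn, sid, "address out of date", "source document on file",
                   "home_address", "1 Example St", "1976-04-04")
    record = conn.execute("SELECT consent, n_third_party, n_denied, dispute FROM main_file "
                          "WHERE subject_id=?", (sid,)).fetchone()
    return {"denied": denied, "disclosed": given, "record": record,
            "da_rows": conn.execute("SELECT COUNT(*) FROM da").fetchone()[0],
            "sod_rows": conn.execute("SELECT COUNT(*) FROM sod").fetchone()[0],
            "stat": dict(conn.execute("SELECT counter, value FROM stat"))}

if __name__ == "__main__":
    print(demo())
```

Two design points carry over to any real DBMS: the consent check and the accounting entry sit inside the retrieval routine, so a disclosure cannot be produced without passing through them; and the list of data elements, which does become part of the SELECT statement, is restricted to a fixed whitelist so that no caller-supplied text is ever spliced into the query.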


3.3 Output Phase

O1 - Publish Annual Notice

Every year, before April 30th, the printout of the Public Notice File (PN) is invoked.

O2 - Publish New Use for Existing System of Records

The data element is modified to reflect the new use in the Public Notice file (PN). The file for the Federal Register announcement is printed.

O3 - Output Disclosure Accounting

A specific data subject's disclosure accounting record is printed upon request.

O4 - Output Dispute Accounting

A specific data subject's dispute accounting record is printed upon request.

O5 - Statistical Output

The Statistical file (STAT) is printed upon request.
3.4 General Implementation Comments

All of the above identified data base functions are easily implementable on any of today's data base systems in the marketplace. Certain functions are available as built-in features of a DBMS. These features can be used as they exist in the software unless more stringent requirements are needed. Other privacy requirements are not directly available in the DBMS and application programs must be written. The following table summarizes the previously outlined data base functions and shows which functions can be implemented by inherent features and which functions require the writing of application programs.

TABLE - DATA BASE FUNCTIONS

                                    | Inherent  | Application
                                    | Feature   | Program
------------------------------------|-----------|------------
INPUT                               |           |
  I1 - Data Collection              |     X     |
  I2 - Data Entry                   |     X     |
  I3 - Data Validation              |     X     |
  I4 - Notification Notice          |           |     X
  I5 - Consent to Disclose          |           |     X
------------------------------------|-----------|------------
PROCESSING                          |           |
  P1 - Periodic Validation          |     ?     |     ?
  P2 - Authentication               |     X     |
  P3 - Retrieval for Disclosure     |           |     X
  P4 - Update due to Amendment      |           |     X
  P5 - Data Purging                 |           |     X
  P6 - Disclosure Accounting        |           |     X
  P7 - Dispute Accounting           |           |     X
------------------------------------|-----------|------------
OUTPUT                              |           |
  O1 - Publish Annual Notice        |     ?     |     ?
  O2 - Publish New Use              |     ?     |     ?
  O3 - Output Disclosure Accounting |     ?     |     ?
  O4 - Output Dispute Accounting    |     ?     |     ?
  O5 - Output Statistics            |     ?     |     ?

(? = entry not legible in the scanned source)

The specification of functions is at a generic level where the degree to which the suggested action is implemented is a management decision of the specific agency. For example, software techniques for data validation, or authenticating user access, range from very simple to elaborate but costly algorithms. The amount of validation or security control needed must be decided by each individual agency.


4. DBMS FUNCTIONS TO MEET PRIVACY REQUIREMENTS

The compliance data and procedures as identified in Section 2 can be correlated with the DBMS functions introduced in Section 3. These DBMS functions are implementable either via application programs or inherent in the data base software. Those functions that require the writing of application programs also depend on the existence of the data files described in Section 2 of this report.

In Appendix II, five separate tables are illustrated to cover the five areas of the Privacy Act requirements. These requirements are translated into compliance procedures. The compliance procedures can be realized with the use of the DBMS functions indicated.
5. CONCLUSIONS

An implementation strategy for complying with the Privacy Act of 1974 with the use of today's data base management systems is described. A set of DBMS functions, either inherent as built-in data base features, or to be built via application programs, are identified. These functions can be written in the particular DBMS's user language or the host application programming language. These functions, together with the supportive data file specifications, can implement those privacy compliance procedures that are suggested to be automated. The impact of Privacy Act compliance on the use and design of DBMS is assessed.

5.1 Use of DBMS to Comply

Does the use of DBMS significantly improve the capability of meeting Privacy Act requirements? The answer to that question is that privacy law compliance is not necessarily a justification for employing a generalized data base management system. However, it alleviates certain manual bookkeeping activities and therefore provides more consistent journalling by the computer without human errors or omission. Some benefits as well as some negative impacts of the use of a DBMS to achieve compliance are enumerated:

Benefits:

1. The existence of a DBMS will make the implementation of Privacy Act requirements more uniform throughout the data-processing user community, and substantially simplify the job of administration.

2. DBMS will be able to respond to changing requirements more flexibly and easily. Thus, if new requirements emerge, DBMS will allow certain logical changes without significantly affecting the existing applications.

3. With the increased awareness and emphasis on data base system security procedures and data integrity mechanisms, the inherent capability of DBMS can be used advantageously in support of compliance with the Privacy Act.

4. Usage of application programs written for Privacy Act compliance can be monitored for auditing the administration of the Privacy Act.

5. The use of DBMS facilitates the reporting of statistical and summary data. For example, the reporting of statistics such as the number of disclosures per week or the number of disputes being amended can quickly be accomplished with the use of DBMS.

Negative Impacts:

1. The data base management approach increases the flexibility for interrelating data and for browsing, especially in an on-line access (local or remote) environment. This may facilitate unauthorized use of data. Therefore, the adequacy of computer security must be considered.

2. A centrally maintained data base increases the potential consequences of data base destruction, so backup provisions must be made.
5.2 Levels of Automation

Automation in this context refers to privacy compliance activities that are performed by a computer with data base management software. Several possible alternative levels exist:

A. All manual system.

B. Data subject records flagged automatically but a paper file is retained.

C. Data subject records flagged automatically with separate automatic journalling of disclosure and dispute accounting.

Level A - The all manual status reflects the majority of agencies' information management practices today. This is partly because the Privacy Act has only been in effect since September 1974 and the agencies are just beginning to develop and design compliance procedures. Also some agencies have not fully converted from second generation data processing techniques to the use of a DBMS, and no software has been ...

Level B - This level requires a minimal amount of software effort if the data subject records are already automated with the use of a DBMS. Some agencies require the manual paper file to be kept as evidence of actual written letters for requesting access or disclosure. This is used as proof of authenticity. Therefore, developing software to provide for disclosure accounting and dispute accounting will be an additional effort.

Level C - This is the level where most of the compliance procedures are automated with the exception of issuing letters for acknowledgement purposes. There is no reason why the letters could not also be generated by computer.

The functions specified in the report, if properly incorporated in a DBMS, could achieve a high degree of automation. The functions listed also reflect a reasonable level of compliance.
®Oo- 3 Problem preae i” : 
The issue of level of compliance is left to _ the 
agency's decision. In the areas where the Privacy Act 
requiresya logging activity or issuance of an announcement, 
compliance is straightforward. However, in the areas of 
“seeurity control and data integrity, just sahil much is enough 
is not ae a > 


A precise definition of minimum level of. privacy 
oe compliance does not -exist. There are also some areas where 
* +. the law is open £0: interpretation. ° Por’ example: . 


2s 


- Keeping track of disclosures to secondary and tertiary users.




- Safeguarding against inferences being made on the data.

- Keeping track of a data subject's consent for a new routine use on an existing system of records.


Such compliance procedures may prove to be prohibitively costly to implement and could unnecessarily over-burden a data base system.


5.4 Summary


The approach of using a DBMS to comply with the Privacy Act represents an ad hoc solution using today's systems rather than a complete redesign of systems. Privacy Act compliance is not necessarily a justification for employing a DBMS; however, if an agency is using or is contemplating the use of a DBMS, it appears that privacy compliance procedures can be easily incorporated with the data base functions described.

The degree to which the suggested actions are implemented is a management decision of the specific agency. However, the suggested functions reflect an achievable level of compliance.

The administration of compliance can be made easily accountable. In particular, this means the operating cost of Privacy Act compliance will be easily identifiable via software logging. This factor alone benefits the use of a DBMS for Privacy Act compliance.

The use of a DBMS means more stringent administrative control within the operating environment. The complexity of the DBMS environment requires knowledgeable system personnel and data base administrators to control data accesses and systematic logging and reporting. Physical security needs to be tighter to alleviate the fear of potential destruction. Hardware and software need to be "certified" for reliability and quality assurance.

The use of a DBMS imposes a more sophisticated requirement for access control and data integrity checks in the data base system. Today's DBMS supplied by the vendors have inadequate protection mechanisms for providing controlled accesses. More research in security and integrity techniques is needed in future DBMS to achieve adequate security measures.
APPENDIX I - PRIVACY ACT REQUIREMENTS


There are a number of ways one can classify the Privacy Act for analysis; the Act specifically mentions the "collection, maintenance, use, and dissemination" of personal information, but follows a somewhat different breakdown in the body of the legislation. This breakdown is chosen so that it accords more or less with the flow of information to, from, and within an organization, as such a breakdown appears most useful to the information specialists for whom this report is written. Specifically, the Act will be considered from five viewpoints:


- collection of information;

- maintenance and use of information (by the maintaining agency);

- data subject access to and amendment of information;

- non-routine-use disclosures of information; and

- public notice requirements.




This section is a brief summary of the requirements of the Act, and should not be used as guidance for general compliance with the Act's provisions. For official guidance, the reader is referred to [2,4]; other guidance may be found in [3,5,7,8]. It is assumed that the reader is reasonably familiar with terms specific to the Privacy Act, such as "system of records," "disclosure," etc. These terms are defined in the Act.


Collection


Clearly, the Act intends that agencies only collect information that is "both relevant and necessary for an agency purpose authorized by statute or executive order" [5]. Furthermore, information collection on the exercise of First Amendment rights is -- with minor exceptions -- specifically prohibited. If information may be subsequently used to make an adverse determination about an individual, then the collecting agency must strive to collect that information directly from the individual himself; if collection from a third party is necessary, then the agency must attempt to verify such information with the individual. When distributing a request for information, the request should be accompanied by an explanation of what the information will be used for, and under what authority it is being collected. All information collected--regardless of source--must be verified by the collecting agency. Reasonable efforts must be demonstrated by the agency to ensure its accuracy and relevance. Furthermore, the information should be noted upon receipt if it is (1) from a third party, and if so, whether verified with the individual or not; (2) obtained with an explicit promise of confidentiality; and (3) sensitive in nature (medical or national security information, for example).


Maintenance and Use


Agencies must maintain and use their personal information records in a manner that ensures fairness to the individuals in question. They must take reasonable precautions against misuse of information, and against use of incorrect or out-of-date information. In particular, they must provide training for employees in the requirements of the Act if those employees will be handling personal information. They must at least annually review information on file to ensure that it is not a record of the exercise of First Amendment rights, and generally to ensure that all aspects of the Privacy Act are continuously being adhered to (this is the "annual review" of the Act). In addition, agencies must purge records after their useful life has expired, but must retain the accounting of disclosures of records (see "Non-routine-use disclosures") for at least five years after the accounting was made, or for the life of the record, whichever is longer. Normally, agencies will only disclose information (1) within the agency, to those employees who have a need to know the information for the regular performance of their duties; or (2) outside the agency, for an established "routine use." Exceptions to these two conditions are discussed under "Non-routine-use disclosures," below. A "routine use" is established through the publication of annual reports and notices: see "Public notice requirements."


Furthermore, agencies must ensure the confidentiality and security of personal records by "establishing appropriate administrative, technical, and physical safeguards" [1] against any anticipated breach of confidence or physical integrity. Agencies would also be wise to consult legal counsel regarding certain issues of records use, such as whether the copying of all or portions of a system of records for internal agency disclosure itself constitutes the creation of a new system of records.


Access, Amendments, and Disputes


The Privacy Act guarantees that an individual be able to determine the existence of any information about him in any agency's system of records, and that he be able to see, have a copy of, and correct such records. Thus agencies are called upon to establish procedures to provide these four guarantees. When disclosing information to a requesting individual, however, the agency can filter the information to remove: (1) items having possible adverse effects on the individual (medical information, for example); (2) confidential sources of information (if an implied promise of confidentiality was given to the source before Sept 1974, or an explicit promise after that); (3) CIA or criminal law enforcement information; (4) classified national defense information; (5) information about protection of the President of the U.S.; (6) information required by statute to be for statistical purposes only; (7) investigatory material compiled for employment checks; (8) testing and examination material for employment; and (9) information regarding future promotions (in the military).

Each access by an individual to his own records is to be considered a disclosure by the maintaining agency, and as such, must be logged in the agency's accounting of disclosures (see "Non-routine-use disclosures"). In addition, if the individual so requests, the agency must provide access to that accounting of disclosures, so that an individual may determine what information about him is being disseminated, to whom, and for what purpose. The agency may not require that the requesting individual know particular identifying codes or numbers unique to the system of records in question in order to facilitate the agency's finding relevant information; it must be sufficient that he know such common particulars as name, age, place of birth, residence, etc. The information so disclosed must be in a form comprehensible to the requesting individual, and the individual may, if he wishes, be accompanied by a person of his own choosing.


Of pivotal importance to the letter and spirit of the Act is the requirement that an individual be allowed to correct erroneous information about himself. Thus agencies must establish procedures to permit individuals to submit corrections to their records. If the agency acknowledges an individual's correction, it must make the correction and inform all previous recipients of the erroneous information of its corrected content. Should the agency determine, however, that a correction is unwarranted, it must permit the individual to file a statement of dispute. A notation of that statement must be made integral to the record in question, and the dispute statement itself must be included with subsequent disseminations of the record. The agency may also file its own reasons for denying the correction, and disseminate those reasons along with the record and associated dispute statement.
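The bookkeeping described under "Maintenance and Use" and in the preceding paragraphs (every disclosure logged, the subject's own access counted as a disclosure, prior recipients notified of corrections, a dispute statement carried with later disseminations, and the accounting retained five years or the life of the record) can be sketched as a small data model. The following is an added illustration in Python, not the report's own DBMS procedures; the class and field names are hypothetical.

```python
from dataclasses import dataclass
from datetime import date, timedelta
# Constructed, hypothetical model (not the report's own DBMS procedures) of a
# "system of records" carrying the bookkeeping the Act requires of an agency.

@dataclass
class Disclosure:
    record_id: str
    recipient: str
    purpose: str
    made_on: date
@dataclass
class Record:
    record_id: str
    fields: dict
    dispute: str = ""       # individual's statement of dispute, if filed
    purged_on: date = None  # set when the record's useful life has expired
class SystemOfRecords:
    def __init__(self):
        self.records = {}     # record_id -> Record
        self.accounting = []  # the agency's accounting of disclosures

    def disclose(self, record_id, recipient, purpose, made_on):
        # Every release is logged, including the subject's own access.
        rec = self.records[record_id]
        self.accounting.append(
            Disclosure(record_id, recipient, purpose, date.fromisoformat(made_on)))
        payload = dict(rec.fields)
        if rec.dispute:  # a filed dispute travels with every later dissemination
            payload["dispute_statement"] = rec.dispute
        return payload

    def accounting_for(self, record_id):  # what the subject may see on request
        return [d for d in self.accounting if d.record_id == record_id]

    def correct(self, record_id, field, value):
        self.records[record_id].fields[field] = value
        # Every prior recipient of the erroneous content must be notified.
        return sorted({d.recipient for d in self.accounting_for(record_id)})
    def file_dispute(self, record_id, statement):
        self.records[record_id].dispute = statement
    def purge_record(self, record_id, on):
        self.records[record_id].purged_on = date.fromisoformat(on)

    def may_purge_accounting(self, d, today):
        # Accounting is kept five years after it was made or for the life of
        # the record, whichever is longer (five years taken as 5 * 365 days).
        rec, today = self.records[d.record_id], date.fromisoformat(today)
        return (today >= d.made_on + timedelta(days=5 * 365)
                and rec.purged_on is not None and today >= rec.purged_on)
```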


Non-Routine-Use Disclosures 


not for a published routine use, and not to the individual subject of the records, then in general the agency must obtain permission from the subject to make the disclosure. Even with that permission, however, disclosure is at the agency's discretion. Exceptions to this requirement for permission occur in cases of disclosure to the following (parentheses indicate whether disclosure is at the agency's discretion):

- to Congress (discretionary)

- for law enforcement (discretionary, unless overridden by statute)

- under compulsory legal process (not discretionary)

- in an emergency (discretionary)

- for statistical purposes (discretionary)

- to the Census, GAO, or National Archives (discretionary, treated essentially the same as a routine use disclosure)




If disclosed to other than another government agency, information must be verified for accuracy, relevance, timeliness, and completeness and filtered to remove information not relevant to the request. If a statement of dispute is relevant to the disclosure, that statement must of course be included. An accounting of the disclosure must be made. Information disclosure may be requested under the Freedom of Information Act, and if that Act is relevant, disclosure may not be denied, nor need an accounting be kept.




Public Notice Requirements


A fundamental provision of the Privacy Act that echoes the HEW Report [9] is that no system of records can be secret in its very existence. To this end, the Act requires extensive public announcements concerning each agency's systems of records, and certain announcements to the Congress.




Public notice must be given (in the Federal Register) (1) of any new system of records; (2) of any new routine uses for existing systems of records; and (3) annually for all systems of records. A significant change, say in the number, type or categories of individuals in the system, or the potential for access to existing records, can trigger the requirement for a new system of records notice. Furthermore, agencies must report to Congress on their activities under the Privacy Act. Specifically, they must provide a report (1) on any proposed new system of records, and